Method and device for efficient multiparty multiplication



The invention relates to a method for a party participating in a secure multiparty multiplication protocol between participants, a device being arranged for implementing this method, and a computer program product having computer executable instructions for causing a programmable device to perform this method.

Secure multiparty computation is the process where a number of participants compute a function f to obtain an unencrypted output. During the computation, only the output becomes available to the participants.

Some well known examples of these kinds of computations are auctions, the Millionaires problem, secure function evaluation, voting, crypto computing with rationals and secure profile matching.

Homomorphic threshold cryptosystems provide a basis for secure multiparty computation. For a given n-ary function f, a circuit of elementary gates is composed that, given encryptions of x_1, ..., x_n on its input wires, produces an encryption of f(x_1, ..., x_n) on its output wire. The elementary gates operate in the same fashion. The wires of the entire circuit are all encrypted under the same public key; the corresponding private key is shared among a group of parties.

The elementary gates operate on bits or on elements of larger domains (rings or fields), where apparently the latter type is preferred from an efficiency point of view.

A basic tool in the toolbox for computing under encryption is a secure multiplication protocol. Although addition gates can be evaluated without having to decrypt any value, taking full advantage of the homomorphic property of the cryptosystem, multiplication gates require at least one threshold decryption to succeed.

In US patent 6,772,339, a method is described for secure multiparty computation comprising: generating a data set based on a function to be computed, said data set comprising pairs of first data and second data; for each pair of first data and second data, encrypting said first data and said second data; mixing pairs of encrypted first data and second data; comparing encrypted input data with said encrypted input data to detect a match; and selecting encrypted second data corresponding to said detected match.

The resulting protocol for evaluating multiplication gates is, despite its conceptual simplicity, quite inefficient.


It is therefore an object of the invention to provide a method and a device that provide an efficient building block for multiparty computations, in particular for the multiplication protocol.

The object of the invention is achieved by a method for a party participating in a secure multiparty multiplication protocol between participants, the protocol being arranged to compute the product of private first data and encrypted second data, wherein the protocol comprises a subprotocol comprising the steps of: the party obtaining first data, which is either private first data or first data from a two-valued domain; the party obtaining encrypted second data; the party computing encrypted output data which comprises a randomized encryption of the product of the first data and the second data, using a discrete log based cryptosystem; and the party generating a proof being arranged to show that the encrypted output data is correct.

A multiplication protocol takes as input a private or encrypted multiplier x and an encrypted multiplicand y and produces in polynomial time as output an encryption of the product xy. The protocol should not leak any information on x, y, and xy. Furthermore, for security reasons it is required that the protocol generates a publicly verifiable proof that the product is computed correctly.

According to the method of the invention, given private or encrypted first data [[x]] = (a, b) = (g^r, g^x h^r) and encrypted second data [[y]] = (c, d), where party P knows r and x, party P computes a randomized encryption [[xy]] = (e, f) = (g^s, h^s) * [[y]]^x with s ∈_R Z_q, using the homomorphic properties of the discrete log based cryptosystem. Party P also generates a proof showing that the output is correct, which means that it proves knowledge of witnesses r, s, x ∈ Z_q satisfying a = g^r, b = g^x h^r, e = g^s c^x, f = h^s d^x.

The method allows applications to be implemented efficiently; for example, it allows at least two users to compare their private data without revealing any other information than whether the data are similar or not, according to some measure.
It is a further advantage of such a discrete log based solution that distributed key generation for the threshold version is relatively simple.

It is an additional advantage that the method also addresses the malicious case and addresses fairness for the two-party case.

It is a further advantage that the invention performs particularly well for ad hoc contacts among a large group of peer users, where it is important that each user needs only a limited amount of set-up information (independent of the total number of users), and the total time of execution, including the time for distributed key generation, for running a protocol between any two users is limited as well.

The method of the multiplication protocol requires that one of the multipliers is private, that is, known by a single party.

This restriction allows the multiplication protocol to exist under the Diffie-Hellman assumption.

An advantageous method according to the invention is characterized in that the first data is random data from a two-valued domain.

The method allows at least two users to obtain the product of two numbers, one of which is a random number from a two-valued domain, and a proof that the result was correctly computed.

The method implements a protocol which enables the computation of the encrypted product of two encrypted numbers.

In the protocol according to claim 2, which is referred to as the conditional gate, the multiplier x is from a dichotomous (two-valued) domain. This restriction allows the multiplication protocol to exist under the Diffie-Hellman assumption. It is realized by the inventors that elementary gates operating on bits are sufficient for efficiently implementing multiparty computations including multiplication.

The protocol according to claim 2 is able to efficiently multiply the encrypted values x and y, if x is restricted to a two-valued domain.

An advantageous method according to the invention is characterized in that the discrete log based cryptosystem is the ElGamal cryptosystem.

It is understood by the inventors that basically homomorphic ElGamal suffices for efficiently handling a wide range of problems. The encryptions of second data are homomorphic ElGamal encryptions, where it is understood that these encryptions are randomized and the public key for these encryptions is always the same. The corresponding private key is shared among a number of parties.
It is an advantage that the current method works under the standard Decision Diffie-Hellman assumption using just homomorphic threshold ElGamal encryption, which is far less costly than for example the use of RSA-like cryptosystems such as Paillier's cryptosystem, as the generation of a shared RSA modulus for the corresponding threshold cryptosystems is costly, often dominating the cost of an entire application. Even for the two-party case, sharing an RSA modulus is a non-trivial task. In contrast, distributed key generation for discrete log based cryptosystems is simple, and practically for free in the two-party case.

As an additional advantage, ElGamal allows for solutions based on any discrete log setting, such as elliptic curves or XTR.

The work for each party for evaluating a conditional gate amounts to about 12 exponentiations, whereas the Mix and Match approach from the aforementioned US patent requires approximately 150 exponentiations for a similar multiplication gate, as each party needs to blind and permute the 4x3 ElGamal encryptions constituting the encrypted truth table of the gate and provide a proof of correctness; each party must also take part in four plaintext-equality tests, on average.

The method according to the current invention is therefore probably the most efficient solution to date for Yao's millionaires problem and many other problems, such as secure auctions.

An advantageous method according to the invention is characterized in that the encrypted data are Pedersen commitments.

Often a slight optimization is possible by using a Pedersen commitment <<x>> = g^x h^r instead of an ElGamal encryption [[x]] = (g^r, g^x h^r) for the multiplier.

An advantageous method according to the invention is characterized in that the protocol comprises the further step of the party transmitting the proof to at least one of the other participants.

An advantageous method according to the invention is characterized in that the protocol comprises the further step of the party transmitting the encrypted output data to at least one of the other participants.

An advantageous method according to the invention is characterized in that the protocol is executed between two parties.

The object of the invention is further achieved by a device being arranged for implementing the method according to claim 1.

The object of the invention is further achieved by a computer program product, for enabling multiparty computations, having computer executable instructions for causing a programmable device to perform the method according to claim 1.



Fig. 1 illustrates a subprotocol of the multiplication protocol, and 

Fig. 2 shows a device for implementing the method according to the invention. 



A multi-party multiplication protocol is a protocol carried out by two or more participants.

The input of the protocol consists of two (possibly encrypted) numbers, x and y. The number x can be provided by player P_1 and y can be provided by player P_2. At the end of the protocol, both players get the product [[xy]] as a result. Moreover, the parties get a proof that the result was correctly computed and that the other player(s) did not cheat.

First some preliminaries for the computations are discussed.

Let G = <g> denote a finite cyclic (multiplicative) group of prime order q for which the Decision Diffie-Hellman (DDH) problem is assumed to be infeasible.

For public key h ∈ G, additively homomorphic ElGamal encryption is used, where message m ∈ Z_q is encrypted as a pair (a, b) = (g^r, g^m h^r), with r ∈_R Z_q. The homomorphic property is that componentwise multiplication of encryptions of m and m', respectively, yields an encryption of m + m' (modulo q): (a, b) * (a', b') = (aa', bb') = (g^{r+r'}, g^{m+m'} h^{r+r'}).

Given an encryption (a, b) = (g^r, g^m h^r) as common input, standard techniques yield a proof of knowledge for showing knowledge of the (unique) witness (m, r). (Standard ElGamal encryption with encryptions of the form (g^r, m h^r) for m ∈ G is homomorphic in a multiplicative sense but lacks such a proof of knowledge.)

An equivalence relation is defined on G x G by stating that encryptions (a, b) and (a', b') are equivalent iff log_g(a/a') = log_h(b/b'). Using (1, g^m), m ∈ Z_q, as canonical representatives, [[m]] is used to denote the equivalence class of (1, g^m). In other words, [[m]] denotes the set of all ElGamal encryptions of m (under public key h). The operations on the direct product group G x G are lifted to the equivalence classes in the usual way. The homomorphic property then implies that [[x]] * [[y]] = [[x + y]] and [[x]]^c = [[cx]].

Thus addition and multiplication by a scalar are easily accomplished. These operations can easily be verified when implemented in a deterministic fashion.

Randomization (or blinding) of ElGamal encryptions is an important primitive as well. This amounts to multiplying a given encryption with a random element (a, b) ∈_R [[0]]. Proving that log_g a = log_h b shows that (a, b) is indeed an encryption of 0.

Given the private key α = log_g h, decryption is performed by calculating b/a^α, which is equal to g^m for some m ∈ Z_q. Recovering m from g^m is supposed to be hard in general, hence it is necessary to view this cryptosystem with respect to a set M ⊆ Z_q of sufficiently small size such that finding m from g^m is feasible whenever m ∈ M. In the current invention, however, the size of M will be very small, often |M| = 2.
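The homomorphic operations, the blinding with an element of [[0]], the equivalence relation with its canonical representative (1, g^m), and decryption by searching a small message set M, as an added Python example that is not part of the patent text. The group parameters p = 2039, q = 1019, g = 4 form a toy Schnorr group constructed for illustration only, and the function names are this example's own; the check that a pair lies in [[0]] is done here with the private key, where the text has a proof of equality of discrete logs instead.

```python
import random

# Toy Schnorr-group parameters, constructed for this example (far too small for real use):
# p = 2q + 1 with q prime, and g = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 2039, 1019, 4

def keygen():
    alpha = random.randrange(1, Q)          # private key alpha = log_g h
    return alpha, pow(G, alpha, P)

def encrypt(m, h, r=None):
    """[[m]] = (a, b) = (g^r, g^m h^r) with r random in Z_q (additively homomorphic ElGamal)."""
    r = random.randrange(Q) if r is None else r
    return (pow(G, r, P), pow(G, m % Q, P) * pow(h, r, P) % P)

def add(c1, c2):
    """[[x]] * [[y]] = [[x + y]]: componentwise multiplication in G x G."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def scale(ct, k):
    """[[x]]^k = [[kx]] for a public scalar k (a negative k is reduced modulo q)."""
    return (pow(ct[0], k % Q, P), pow(ct[1], k % Q, P))

def blind(ct, h):
    """Re-randomize an encryption by multiplying it with a random element of [[0]]."""
    return add(ct, encrypt(0, h))

def is_encryption_of_zero(ct, alpha):
    """(a, b) is in [[0]] iff log_g a = log_h b, i.e. iff b = a^alpha."""
    return ct[1] == pow(ct[0], alpha, P)

def equivalent(c1, c2, alpha):
    """c1 ~ c2 iff log_g(a/a') = log_h(b/b'), i.e. iff c1 / c2 is an encryption of 0."""
    quotient = (c1[0] * pow(c2[0], P - 2, P) % P, c1[1] * pow(c2[1], P - 2, P) % P)
    return is_encryption_of_zero(quotient, alpha)

def decrypt(ct, alpha, M=range(-10, 11)):
    """b / a^alpha = g^m; m is recovered by exhaustive search over the small set M."""
    a, b = ct
    gm = b * pow(pow(a, alpha, P), P - 2, P) % P
    for m in M:
        if pow(G, m % Q, P) == gm:
            return m
    raise ValueError("plaintext not in M")

def demo():
    alpha, h = keygen()
    cx, cy = encrypt(3, h), encrypt(-2, h)
    csum = blind(add(cx, scale(cy, 2)), h)   # [[3]] * [[-2]]^2 = [[3 + 2*(-2)]] = [[-1]]
    canonical = encrypt(-1, h, 0)            # (1, g^-1): the class representative of [[-1]]
    return decrypt(csum, alpha), equivalent(csum, canonical, alpha)
```

The blinded sum is a different pair from the canonical representative, yet equivalent() reports that both lie in the class [[-1]]; decrypt() only succeeds because -1 is inside the small set M, which is exactly the restriction the text places on plaintexts.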

The ElGamal cryptosystem is semantically secure under the DDH assumption.

In a (t,n)-threshold version of ElGamal, 1 ≤ t ≤ n, encryptions are computed w.r.t. a common public key h (as above) while decryptions are done using a joint protocol between n parties, each party possessing a share of the private key α = log_g h. As long as at least t parties take part, decryption will succeed, whereas fewer than t parties are not able to decrypt successfully. The parties obtain their share by running a distributed key generation protocol.

Since the invention is particularly of interest to two-party computations, more details are presented for the (2,2)-threshold scheme. Distributed key generation is achieved by having parties P_1, P_2 first broadcast commitments c_i = g^{α_i} h^{r_i}, with α_i, r_i ∈_R Z_q for i = 1, 2, and then broadcast the values r_i along with proofs of knowledge of log_g h_i, where h_i = c_i/h^{r_i} for i = 1, 2. The joint public key is h = h_1 h_2, with private key α = α_1 + α_2. To decrypt an encryption (a, b), player P_i produces d_i = a^{α_i}, along with a proof that log_a d_i is equal to log_g h_i. The message is then recovered from b/(d_1 d_2).

Clearly, (2,2)-threshold ElGamal allows for ad-hoc use. The effort for generating the keys is about the same as the effort for performing a decryption.

Given two homomorphic encryptions [[x]], [[y]], the homomorphic encryption [[xy]] can be computed by the protocol comprising the following steps:

Player P_i chooses a random value r_i and sends [[r_i]] to player P_{3-i} along with a proof that it knows r_i, for i = 1, 2.

The players jointly decrypt [[x + r_1 + r_2]].

Let x_1 = x + r_2, x_2 = -r_2. Player P_i sends [[x_i]] and [[x_i y]] = [[y]]^{x_i} to player P_{3-i} along with a proof, for i = 1, 2.

Both players may compute [[x_1 y]] * [[x_2 y]] = [[xy]]. If any of the proofs fails, the protocol is aborted.

As a last preliminary, the Pedersen commitment is shown. Given g, h ∈ G, a commitment to message m ∈ Z_q is a value c = g^m h^r, with r ∈_R Z_q. The commitment is opened by revealing m and r. Pedersen's scheme is unconditionally hiding and computationally binding, under the assumption that log_g h cannot be determined. The commitment scheme is also additively homomorphic, and <<m>> will be used to denote a commitment to message m, where the randomization is suppressed.

According to these preliminaries, a function f can be evaluated securely in a multiparty setting if f can be represented as a circuit over Z_q consisting only of addition gates and simple multiplication gates. An addition gate takes encryptions [[x]] and [[y]] as input and produces [[x]] * [[y]] = [[x + y]] as output, and a simple multiplication gate takes [[x]] as input and produces [[x]]^c = [[cx]] as output, for a publicly known value c ∈ Z_q. To be able to handle any function f, however, there is a need for more general multiplication gates for which both inputs are encrypted.

If no restrictions are put on x or y, a multiplication gate, taking [[x]] and [[y]] as input and producing [[xy]] as output efficiently, cannot exist assuming that the DH problem is infeasible. Therefore, a special multiplication gate is used, putting some restrictions on the multiplier x.

In a first embodiment of the invention, the method requires that the multiplier x is private, which means that it is known by a single party.

In a second embodiment of the invention, the method comprises the use of a special multiplication gate. This gate, referred to as the conditional gate, requires that the multiplier x is from a dichotomous (two-valued) domain. This protocol will be referred to as a multiplication protocol with a shared dichotomous multiplier. This protocol is less general but far more efficient than the protocols already known.

Despite these restrictions, the method according to the invention leads to very efficient multiparty protocols.

First, in the first embodiment according to the invention, a multiplication protocol is presented where the multiplier x is a private input (rather than a shared input). That is, the value of x is known by a single party P. No restriction is put on the multiplicand y. Multiplication with a private multiplier occurs as a subprotocol in the protocol for the conditional gate, and in a number of other separate protocols.
Fig. 1 illustrates two different embodiments of the invention. Party P, 100, obtains private first data, [[x]], 101, and encrypted second data, [[y]], 102, and computes encrypted output data, [[xy]], 103, including a correctness proof 104. Obtaining can be either receiving from a different party, retrieving from internal memory, or generating internally.

Given encryptions [[x]] = (a, b) = (g^r, g^x h^r) and [[y]] = (c, d), where party P knows r and x, party P computes on its own a randomized encryption [[xy]] = (e, f) = (g^s, h^s) * [[y]]^x with s ∈_R Z_q, using the homomorphic properties. Party P then broadcasts [[xy]] along with a proof showing that this is the correct output, which means that it proves knowledge of witnesses r, s, x ∈ Z_q satisfying a = g^r, b = g^x h^r, e = g^s c^x, f = h^s d^x.

For later use, the above protocol needs to be simulated. The simulator gets as input [[x]] and [[y]], and a correct output encryption [[xy]], but it does not know x. As a result, the simulator only needs to add a simulated proof of knowledge. The simulated transcript is statistically indistinguishable from a real transcript.
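The private-multiplier subprotocol and its correctness proof, as an added Python example that is not the patent's own code. It uses a toy Schnorr group (p = 2039, q = 1019, g = 4) constructed for this example, and it instantiates the proof of knowledge of (r, s, x) for a = g^r, b = g^x h^r, e = g^s c^x, f = h^s d^x as a Fiat-Shamir transformed sigma protocol, which is this example's choice since the text does not fix the proof system. The private key is held in one place solely so that the decrypted product can be checked; in the protocol it is shared.

```python
import random
from hashlib import sha256

P, Q, G = 2039, 1019, 4   # toy Schnorr-group parameters, constructed for this example

def encrypt(m, h, r=None):
    """Returns (r, [[m]]) with [[m]] = (g^r, g^m h^r); the encrypting party keeps r."""
    r = random.randrange(Q) if r is None else r
    return r, (pow(G, r, P), pow(G, m % Q, P) * pow(h, r, P) % P)

def challenge(*vals):
    """Fiat-Shamir challenge in Z_q, bound to the statement and the commitments."""
    return int.from_bytes(sha256(repr(vals).encode()).digest(), "big") % Q

def private_multiply(x, r, ct_x, ct_y, h):
    """Party P, knowing x and r with [[x]] = (a, b) = (g^r, g^x h^r), computes
    [[xy]] = (e, f) = (g^s c^x, h^s d^x) and proves knowledge of (r, s, x)."""
    a, b = ct_x
    c, d = ct_y
    s = random.randrange(Q)
    e = pow(G, s, P) * pow(c, x % Q, P) % P
    f = pow(h, s, P) * pow(d, x % Q, P) % P
    # Sigma-protocol first move: the four relations with fresh randomness (rho, sig, xi).
    rho, sig, xi = (random.randrange(Q) for _ in range(3))
    A = pow(G, rho, P)
    B = pow(G, xi, P) * pow(h, rho, P) % P
    E = pow(G, sig, P) * pow(c, xi, P) % P
    F = pow(h, sig, P) * pow(d, xi, P) % P
    ch = challenge(h, a, b, c, d, e, f, A, B, E, F)
    responses = ((rho + ch * r) % Q, (sig + ch * s) % Q, (xi + ch * x) % Q)
    return (e, f), (A, B, E, F) + responses

def verify(ct_x, ct_y, ct_xy, proof, h):
    """Anyone can check the proof: all four relations must hold for the responses."""
    a, b = ct_x
    c, d = ct_y
    e, f = ct_xy
    A, B, E, F, zr, zs, zx = proof
    ch = challenge(h, a, b, c, d, e, f, A, B, E, F)
    return (pow(G, zr, P) == A * pow(a, ch, P) % P and
            pow(G, zx, P) * pow(h, zr, P) % P == B * pow(b, ch, P) % P and
            pow(G, zs, P) * pow(c, zx, P) % P == E * pow(e, ch, P) % P and
            pow(h, zs, P) * pow(d, zx, P) % P == F * pow(f, ch, P) % P)

def decrypt(ct, alpha, M=range(-16, 17)):
    """b / a^alpha = g^m, searched over the small set M."""
    a, b = ct
    gm = b * pow(pow(a, alpha, P), P - 2, P) % P
    return next(m for m in M if pow(G, m % Q, P) == gm)

def demo(x=3, y=-4):
    alpha = random.randrange(1, Q)      # held here only to check the result
    h = pow(G, alpha, P)
    r, ct_x = encrypt(x, h)
    _, ct_y = encrypt(y, h)
    ct_xy, proof = private_multiply(x, r, ct_x, ct_y, h)
    return verify(ct_x, ct_y, ct_xy, proof, h), decrypt(ct_xy, alpha)
```

The verifier never learns x, r or s: it only sees the two input encryptions, the output pair (e, f) and the proof, and checks that the response values satisfy the same four relations that the witness satisfies. Any change to a response, or to the output pair after the proof was made, breaks at least one of the four equations.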

It is possible to use a variation of the above protocol, where the private multiplier x is multiplied with several multiplicands y_j at the same time. Furthermore, a slight optimization is possible by using a Pedersen commitment <<x>> = g^x h^r instead of an ElGamal encryption [[x]] = (g^r, g^x h^r) for the multiplier.

In the second embodiment of the invention, the conditional gate is used as a special type of multiplication gate that can be realized in a surprisingly simple and efficient way using just standard homomorphic threshold ElGamal encryption. As addition gates are essentially for free, the conditional gate not only allows for building a circuit for any function, but actually yields efficient circuits for a wide range of tasks.

The dichotomous domain {-1,1} is convenient for explanation purposes. Domain {0,1} or any other domain {a,b}, a ≠ b, can be used instead, as these domains can be transformed into each other by linear transformations. These transformations can also be applied to encryptions.

The conditional gate will be illustrated along two different protocols.

In the first protocol to implement the conditional gate, the protocol enables players P_1, ..., P_N, N ≥ 2, to compute an encryption [[xy]] securely. For simplicity, it is assumed that the players also share the private key of the homomorphic encryption scheme [[.]].

In protocol stage 1: for i = 1..N, player P_i takes [[x_{i-1}]] as input (where x_0 = x) and chooses s_i ∈_R {-1,1}. Player P_i broadcasts encryptions [[s_i]] and [[s_i x_{i-1}]], and a proof that [[s_i x_{i-1}]] is correct w.r.t. [[s_i]] and [[x_{i-1}]], using the protocol for multiplication with a private multiplier. Let x_i = s_i x_{i-1}.

In protocol stage 2: the players jointly decrypt [[x_N]] to obtain x_N. Each player checks that x_N ∈ {-1,1}. Given x_N and [[y]], the encryption [[x_N y]] is computed publicly. Let z_0 = x_N y.

In protocol stage 3: for i = 1..N, player P_i takes [[z_{i-1}]] as input and broadcasts an encryption [[s_i z_{i-1}]], and a proof that [[s_i z_{i-1}]] is correct w.r.t. [[s_i]] and [[z_{i-1}]], using the protocol for multiplication with a private multiplier. Let z_i = s_i z_{i-1}.

The output of the protocol is [[z_N]] = [[xy]]. The protocol requires a single threshold decryption only. Since x_N ∈_R {-1,1} must hold, decryption is feasible for the homomorphic ElGamal encryption scheme. The protocol requires roughly 2N rounds.

As the value of x_N is statistically independent of x if at least t = N/2 honest players are able to complete the protocol successfully, the value of x_N does not reveal any information on x.

The protocol can optionally be made robust. If a player P_i fails in protocol stage 2, it is simply discarded in the remainder of the protocol. For stage 2, the joint decryption step is robust by definition. If the check x_N ∈ {-1,1} fails, the players are required to broadcast a proof that s_i ∈ {-1,1}. The players who fail to provide a correct proof are discarded, and their s_i values are decrypted. The value of x_N is adjusted accordingly. Similarly, in stage 2, if player P_i fails to complete its step, its value s_i is decrypted and the encryption [[s_i z_{i-1}]] is computed publicly.

This protocol is correct, sound, and computationally zero-knowledge.
In the second protocol implementation of the second embodiment, again the dichotomous domain {-1,1} is used, but any different domain could be used instead using a linear mapping.

Let [[x]], [[y]] denote encryptions, with x ∈ {-1,1} ⊆ Z_q and y ∈ Z_q. The following protocol enables parties P_1..P_n, n ≥ 1, to compute an encryption [[xy]] securely. For simplicity, it is assumed that these parties also share the private key of the (t+1, n)-threshold scheme [[.]], where t < n. The protocol consists of two phases.

Protocol phase 1. Let x_0 = x and y_0 = y. For i = 1..n, party P_i in turn takes [[x_{i-1}]] and [[y_{i-1}]] as input, and broadcasts a commitment <<s_i>> with s_i ∈_R {-1,1}. Then P_i applies the private-multiplier multiplication protocol to multiplier <<s_i>> and multiplicands [[x_{i-1}]] and [[y_{i-1}]], yielding random encryptions [[x_i]] and [[y_i]], where x_i = s_i x_{i-1} and y_i = s_i y_{i-1}. If P_i fails to complete this step successfully, it is discarded immediately.

Protocol phase 2. The parties jointly decrypt [[x_n]] to obtain x_n. If decryption fails because the number of correct shares is insufficient, the entire protocol is aborted. If decryption fails because x_n ∉ {-1,1}, each party P_i is required to broadcast a proof that s_i ∈ {-1,1}. Parties failing to do so are discarded, and the protocol is restarted (starting again at phase 1). Given x_n and [[y_n]], an encryption [[x_n y_n]] is computed publicly. If all parties are honest, x_n y_n = xy.

Any party may disrupt the protocol for at most one run of phase 1 by picking a value s_i outside the range {-1,1}. For t < n/2, the protocol is robust, allowing up to t failing parties in total (as the threshold decryption step tolerates up to t failing parties). For n/2 ≤ t < n, the protocol is not robust, but the adversary does not get an advantage in this case.

The protocol requires a single threshold decryption only. Since x_n is required to be two-valued, decryption is feasible for the homomorphic ElGamal encryption scheme. As the value of x_n is statistically independent of x, the value of x_n does not reveal any information on x.

If the total number of parties is large compared to the total number of conditional gates to be evaluated, an alternative way to guarantee robustness is to let the parties use encryptions [[s_i]] instead of commitments <<s_i>> in phase 1. Again, if x_n ∉ {-1,1} in phase 2, all parties are required to prove that s_i ∈ {-1,1}. Failing parties are discarded and their s_i values are decrypted to correct the value of x_n.

The performance of the protocol is determined by the communication complexity (in bits) and the round complexity. In phase 1 each party applies the private-multiplier multiplication protocol, broadcasting about 10 values. For decryption each party broadcasts 3 values at the most. Hence, the communication complexity is O(nk), where the hidden constant is very small. In general, the round complexity is O(n), which is high, but in the case of two-party computation it is O(1). Also, when many conditional gates are to be evaluated in parallel, one may take advantage of the fact that the order in which parties P_1..P_n execute phase 1 of the conditional gate protocol can be chosen arbitrarily.

As a first application of the conditional gate, an xor-homomorphic ElGamal encryption scheme is shown. Given [[x]] and [[y]] with x, y ∈ {0,1}, [[x ⊕ y]] is computed as follows, using one threshold decryption:

step 1: publicly convert [[x]] to [[x']] with x' = 2x - 1 ∈ {-1,1}.

step 2: apply the conditional gate to [[x']] and [[y]] to obtain [[x'y]].

step 3: publicly compute [[x - x'y]], which is equal to [[x ⊕ y]].

The application of the conditional gate requires a threshold decryption, which seems unavoidable for achieving xor-homomorphic ElGamal encryption.
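The two-phase conditional gate protocol, the joint decryption from shares d_i = a^{α_i} described for the (2,2)-threshold scheme in the preliminaries, and the xor gate of steps 1 to 3, combined in one added Python example that is not part of the patent. Assumptions of this example: the toy group p = 2039, q = 1019, g = 4; n = 2 parties holding additive shares α_1, α_2 of the private key, so both must contribute to every decryption; the private-multiplier step re-randomizes with a fresh encryption of 0 but omits the correctness proofs and the commitments <<s_i>>; and s_choices is an example-only hook for forcing the s_i. The last function shows the phase 2 check catching a party that used s_i = 2.

```python
import random

P, Q, G = 2039, 1019, 4   # toy Schnorr-group parameters, constructed for this example

def encrypt(m, h, r=None):
    r = random.randrange(Q) if r is None else r
    return (pow(G, r, P), pow(G, m % Q, P) * pow(h, r, P) % P)

def add(c1, c2):
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def scale(ct, k):
    """[[x]]^k = [[kx]]; k may be negative (it is reduced modulo q)."""
    return (pow(ct[0], k % Q, P), pow(ct[1], k % Q, P))

def private_multiply(k, ct, h):
    """One party multiplies [[y]] by its own k and re-randomizes with a fresh [[0]];
    the correctness proof of the private-multiplier protocol is omitted in this sketch."""
    return add(scale(ct, k), encrypt(0, h))

def threshold_decrypt(ct, alphas, M=(-1, 1, 0, -2, 2)):
    """Each party contributes d_i = a^alpha_i; the plaintext is found from b / prod d_i."""
    a, b = ct
    d = 1
    for alpha_i in alphas:
        d = d * pow(a, alpha_i, P) % P
    gm = b * pow(d, P - 2, P) % P
    for m in M:
        if pow(G, m % Q, P) == gm:
            return m
    raise ValueError("decrypted value outside the expected set")

def conditional_gate(ct_x, ct_y, alphas, h, s_choices=None):
    """Phases 1 and 2 of the conditional gate for x in {-1,1} and arbitrary y."""
    n = len(alphas)
    s_list = s_choices or [random.choice((-1, 1)) for _ in range(n)]
    for s_i in s_list:                            # phase 1: P_i multiplies both by s_i
        ct_x = private_multiply(s_i, ct_x, h)
        ct_y = private_multiply(s_i, ct_y, h)
    x_n = threshold_decrypt(ct_x, alphas)         # phase 2: the single joint decryption
    if x_n not in (-1, 1):
        raise ValueError("x_n not in {-1,1}: some party used an invalid s_i")
    return scale(ct_y, x_n)                       # [[x_n y_n]] = [[xy]], computed publicly

def xor_gate(ct_x, ct_y, alphas, h):
    """[[x xor y]] for bits x, y with one conditional gate (steps 1 to 3 of the text)."""
    ct_x1 = add(scale(ct_x, 2), encrypt(-1, h, 0))   # step 1: x' = 2x - 1, public
    ct_x1y = conditional_gate(ct_x1, ct_y, alphas, h) # step 2
    return add(ct_x, scale(ct_x1y, -1))               # step 3: x - x'y, public

def setup(n=2):
    alphas = [random.randrange(1, Q) for _ in range(n)]   # additive key shares
    h = pow(G, sum(alphas) % Q, P)                         # joint public key
    return alphas, h

def run_gate(x, y, n=2):
    alphas, h = setup(n)
    out = conditional_gate(encrypt(x, h), encrypt(y, h), alphas, h)
    return threshold_decrypt(out, alphas, M=range(-8, 9))

def run_xor(x, y, n=2):
    alphas, h = setup(n)
    return threshold_decrypt(xor_gate(encrypt(x, h), encrypt(y, h), alphas, h), alphas)

def detects_bad_multiplier():
    """A party choosing s_i = 2 is caught in phase 2 because x_n leaves {-1,1}."""
    alphas, h = setup(2)
    try:
        conditional_gate(encrypt(1, h), encrypt(5, h), alphas, h, s_choices=[2, 1])
    except ValueError:
        return True
    return False
```

Only x_n = s_1 s_2 x is ever decrypted, and it is uniformly distributed over {-1,1} whenever at least one s_i is; the product is recovered publicly as [[y_n]]^{x_n} because s_i^2 = 1 cancels the masking on y. The threshold_decrypt set M is kept small on purpose, matching the text's requirement that decrypted values lie in a small set.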
The work per party is very limited, about 13 exponentiations for each conditional gate. In contrast, the Mix and Match approach according to the US patent mentioned would require each party to mix the 4 rows of a truth table for x ⊕ y in a verifiable way (Mix step, requiring 24 exponentiations for blinding the entries and, say, 6x12 exponentiations for the correctness proof, using the efficient protocol of J. Groth, "A verifiable secret shuffle of homomorphic encryptions", Public Key Cryptography PKC'03, volume 2567 of Lecture Notes in Computer Science, pages 145-160, Berlin, 2003, Springer-Verlag) and perform on average 4 plaintext equality tests to find [[x ⊕ y]] given [[x]] and [[y]] (Match step, requiring 4x7 exponentiations). Hence, the conditional gate provides approximately a ten-fold improvement, counting exponentiations.

As a second application of the conditional gate, the implementation of a logical gate is shown.

Any operator on two bits x and y can be expressed in a unique way as a polynomial of the form a_0 + a_1 x + a_2 y + a_3 xy. The coefficients are not necessarily binary. For example, the exclusive-or operator ⊕ satisfies x ⊕ y = x + y - 2xy. There are exactly 16 polynomials of type {0,1}^2 → {0,1}, which is immediate if one considers the following normal form: b_0 xy + b_1 x(1-y) + b_2 (1-x) y + b_3 (1-x)(1-y), where the coefficients are binary. In general, the coefficients need not be integers either, if one works with other two-valued domains such as {-1,1}.
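An added Python example, not from the patent, that derives the expansion coefficients a_0, ..., a_3 from the binary normal form for any of the 16 two-bit gates and checks all of them. The coefficient formulas are obtained by multiplying out the normal form; the gate is given as a Python function, which is this example's convention.

```python
from itertools import product

def normal_form_coeffs(gate):
    """b_0..b_3 of b_0 xy + b_1 x(1-y) + b_2 (1-x)y + b_3 (1-x)(1-y): each term is 1 on
    exactly one input pair, so the b's are the truth-table values in that order."""
    return (gate(1, 1), gate(1, 0), gate(0, 1), gate(0, 0))

def expanded_coeffs(gate):
    """a_0..a_3 of the unique expansion a_0 + a_1 x + a_2 y + a_3 xy, obtained by
    expanding the normal form; integers, not necessarily bits."""
    b0, b1, b2, b3 = normal_form_coeffs(gate)
    return (b3, b1 - b3, b2 - b3, b0 - b1 - b2 + b3)

def eval_poly(a, x, y):
    a0, a1, a2, a3 = a
    return a0 + a1 * x + a2 * y + a3 * x * y

def check_all_16_gates():
    """Every function {0,1}^2 -> {0,1} is reproduced exactly by its expansion."""
    for table in product((0, 1), repeat=4):
        gate = lambda x, y, t=table: t[2 * x + y]
        a = expanded_coeffs(gate)
        if any(eval_poly(a, x, y) != gate(x, y) for x in (0, 1) for y in (0, 1)):
            return False
    return True

def xor_coeffs():
    """x xor y = x + y - 2xy, i.e. (0, 1, 1, -2)."""
    return expanded_coeffs(lambda x, y: x ^ y)
```

Under encryption, evaluating a gate with these coefficients costs one conditional gate for [[xy]] plus public additions and scalar multiplications: [[a_0]] * [[x]]^{a_1} * [[y]]^{a_2} * [[xy]]^{a_3}.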

In the following applications of the conditional gate, the special multiplication gate is applied to obtain efficient circuits for basic operations such as integer comparison and addition of binary represented numbers.

As a third application of the conditional gate, an efficient solution for a slight variant of Yao's millionaires problem is shown that allows extensions to more general situations. In this application, the inputs are given by their binary representations, i.e. x = (x_{n-1}, ..., x_0) and y = (y_{n-1}, ..., y_0) respectively. A multivariate polynomial P over Z is defined that implements the sign function.

Several polynomials can be used to implement this function. It appears that the most efficient solution can be constructed based on the following multivariate reduction polynomial: for x, y ∈ {0,1}, F(s, x, y) = s + (1 - s^2)(x - y). The polynomial F can be efficiently evaluated by introducing an auxiliary variable v = 1 - s^2. Initially, s = 0 and v = 1. Then the computation

s, v = s + v(x - y), v - v(x - y)^2

is repeated for all components of x and y, giving the desired result. The expression v - v(x - y)^2 can be computed as v(1 - x + 2xy - y). In order to do this computation in a private way, three basic steps are required, where a player multiplies its x or y with a given homomorphic encryption.

- Player 1 computes [[vx]] from [[v]] and <<x>>.
- Player 2 computes [[vy]] and [[vxy]] from [[v]] resp. [[vx]] and <<y>>.
- Both players may compute [[s + vx - vy]] (which is the new s).
- Both players may compute [[v - vx + 2vxy - vy]] (which is the new v).

If needed, s can be decrypted using threshold decryption. Note that this algorithm needs three "multiplication with a private multiplier" protocols for each bit. The second step in the algorithm can be performed efficiently. This approach can also be applied to the Socialist Millionaires problem to produce the result in encrypted form.
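The reduction polynomial iteration, carried out in the clear, as an added Python example that is not the patent's own code. It scans the bits most significant first, the order in which the first differing bit decides the comparison, and checks the result against sign(x - y) for all 4-bit inputs; the three products per bit are written out separately so that the private-multiplier steps of players 1 and 2 can be seen.

```python
def bits(value, n):
    """Binary representation (x_{n-1}, ..., x_0), most significant bit first."""
    return [(value >> i) & 1 for i in reversed(range(n))]

def step(s, v, x, y):
    """One application of F: s <- s + v(x - y), v <- v - v(x - y)^2 = v(1 - x + 2xy - y).
    vx is what player 1 computes from [[v]] and its bit x; vy and vxy are what
    player 2 computes from [[v]] resp. [[vx]] and its bit y."""
    vx = v * x
    vy = v * y
    vxy = vx * y
    new_s = s + vx - vy
    new_v = v - vx + 2 * vxy - vy
    return new_s, new_v

def compare(x, y, n):
    """Returns sign(x - y) in {-1, 0, 1}. While the bits agree, s stays 0 and v stays 1;
    at the first differing bit s becomes +1 or -1 and v = 1 - s^2 drops to 0, which
    freezes s for all remaining (less significant) bits."""
    s, v = 0, 1
    for xb, yb in zip(bits(x, n), bits(y, n)):
        s, v = step(s, v, xb, yb)
    return s

def trace(x, y, n):
    """The (s, v) pairs after each bit, for inspection."""
    s, v, out = 0, 1, []
    for xb, yb in zip(bits(x, n), bits(y, n)):
        s, v = step(s, v, xb, yb)
        out.append((s, v))
    return out

def check_exhaustive(n=4):
    return all(compare(x, y, n) == (x > y) - (x < y)
               for x in range(2 ** n) for y in range(2 ** n))
```

Under encryption each step costs three private-multiplier protocols (for vx, vy and vxy) and the rest is homomorphic addition, which is the cost count the text gives; only the final s needs a threshold decryption, and its value set {-1, 0, 1} is small enough for that decryption to be feasible.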

As a fourth application of the conditional gate, addition of two numbers is shown. To add two numbers x, y given by their binary representation, the respective bits are added, also taking the carry into account. To produce the next bit of the output z, it is necessary to compute [[t]] = [[x_i + y_i + c_{i-1}]], where c_{i-1} is the carry value. It holds that z_i = t mod 2, and c_i = floor(t/2). The computations are z_i = x_i + y_i + c_{i-1} - 2x_i y_i - 2x_i c_{i-1} - 2y_i c_{i-1} + 4x_i y_i c_{i-1} and c_i = x_i y_i + x_i c_{i-1} + y_i c_{i-1} - 2x_i y_i c_{i-1}. If both x and y are private, all of these terms can be computed using the "simple" multiplication protocol. 4 such multiplications are needed for each bit. So, O(n) in total, using n rounds. If only one is private, then one dichotomous multiplication is needed. If both are shared, the dichotomous multiplication is used all the time.

Similarly, multiplication of two numbers x, y is achieved by the school method. This requires O(n^2) bit multiplications.
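The sum and carry polynomials and the schoolbook multiplication built on them, as an added Python example in the clear that is not part of the patent, checked exhaustively against ordinary integer addition and multiplication for 4-bit inputs. Bit lists are little-endian (x_0 first), which is this example's convention.

```python
def sum_bit(x, y, c):
    """z_i from the text's polynomial; equals (x + y + c) mod 2 when x, y, c are bits."""
    return x + y + c - 2 * x * y - 2 * x * c - 2 * y * c + 4 * x * y * c

def carry_bit(x, y, c):
    """c_i from the text's polynomial; equals floor((x + y + c) / 2) when x, y, c are bits."""
    return x * y + x * c + y * c - 2 * x * y * c

def add_binary(xbits, ybits):
    """Ripple-carry addition of two little-endian bit lists of equal length; returns
    n + 1 bits. Each position needs the four products xy, xc, yc and xyc, which are
    the four multiplications per bit the text counts."""
    c, z = 0, []
    for x, y in zip(xbits, ybits):
        z.append(sum_bit(x, y, c))
        c = carry_bit(x, y, c)
    return z + [c]

def to_bits(value, n):
    return [(value >> i) & 1 for i in range(n)]

def from_bits(bits):
    return sum(b << i for i, b in enumerate(bits))

def multiply_binary(xbits, ybits):
    """School method: for each bit y_j add the shifted partial product y_j * x << j.
    This uses len(x) * len(y) bit products, i.e. O(n^2) bit multiplications."""
    n = len(xbits) + len(ybits)
    acc = [0] * n
    for j, yb in enumerate(ybits):
        partial = [0] * j + [yb * xb for xb in xbits] + [0] * (n - j - len(xbits))
        acc = add_binary(acc, partial)[:n]
    return acc

def check_adder(n=4):
    return all(from_bits(add_binary(to_bits(x, n), to_bits(y, n))) == x + y
               for x in range(2 ** n) for y in range(2 ** n))

def check_multiplier(n=4):
    return all(from_bits(multiply_binary(to_bits(x, n), to_bits(y, n))) == x * y
               for x in range(2 ** n) for y in range(2 ** n))
```

Because every operation in sum_bit and carry_bit is an addition, a subtraction or a product of two values, the same circuit runs on encryptions by replacing each product with a private-multiplier or conditional-gate multiplication and each addition with the homomorphic operation, exactly as the text describes for private and shared inputs.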

As a fifth application of the conditional gate, computation of the Hamming distance is shown. Given two vectors x and y with entries in Z_q, the Hamming distance d_H(x,y) between x and y is defined as d_H(x,y) = Σ_{i=1}^n δ(x_i - y_i), where δ(x) = 0 if x = 0 and δ(x) = 1 if x ≠ 0. The goal of this section is to compute securely the Hamming distance between x and y without revealing any further information about x and y. More precisely, it is assumed that there are two players P_1 and P_2 each having a vector, say x and y respectively. They want to compute d_H(x,y) by performing a two-party protocol. The i-th entry of the vector x is denoted by x_i ∈ Z_q. The entries x_i can be represented as binary strings through the following representation: x_i = Σ_{j=0}^m x_{ij} 2^j. The equality tests are done using variable h.

At the end of the protocol P_1 and P_2 decrypt h. The invariant in this protocol is h = Σ_k (x_k - y_k)^2. In order to compute d_H(x,y), the above defined protocol has to be performed for every entry x_i, y_i of the vectors x and y. Denote the outcome for entry i by h_i. Then, [[d_H(x,y)]] = [[Σ_i h_i]] = Π_i [[h_i]]. Then both players decrypt together [[d_H(x,y)]].

i 1 

As a sixth application of the conditional gate, computation of the Euclidean distance is shown. The difference with the Hamming distance computation consists in the measure of similarity. For two vectors x and y of length n, the Euclidean distance d_E(x,y) is defined as d_E(x,y) = Σ_{i=1}^n (x_i - y_i)^2. In order to compute d_E(x,y) the players perform the following steps:

- Player 1 computes [[x_i^2]] for all i = 1, ..., n from its knowledge of the x_i. Similarly, player 2 computes [[y_i^2]] for all i = 1, ..., n.
- Both players compute [[o_i]] = [[x_i^2 - 2x_i y_i + y_i^2]]. Therefore player 1 sends [[x_i]] to player 2, who can then compute [[2x_i y_i]] (together with a proof that she used the correct y_i, i.e. the same one as she used in the computation of y_i^2). Then they compute [[x_i^2 - 2x_i y_i + y_i^2]].
- Finally, they compute [[d_E(x,y)]] by making use of the homomorphic properties of the encryption scheme as follows: [[d_E(x,y)]] = Π_{i=1}^n [[o_i]] = [[Σ_{i=1}^n o_i]].
- By using fair threshold decryption, the result is obtained.

Again, the threshold version of this computation is considered, i.e. the case 
where one (or both) of the players only get the answer to the decision problem d E (x t y)> fi for 
some threshold . In that situation, both players have to use the binary representation of their 
inputs and compute in binary representation the values of the outcomes ffoJJ. Then, they 

n 

25 compute the binary representation of 0, by using the same methods as explained before. 

/=] 

Then, they carry out the "Millionaires" protocol to obtain the encrypted result. Finally, they 
use fair threshold decryption to reveal the solution to both players. 
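The step list above, carried out end to end on encrypted values, as an added example that is not part of the patent text. It uses exponent ElGamal (plaintext $m$ is encrypted as $(g^r, g^m h^r)$, so that multiplying ciphertexts adds plaintexts and raising a ciphertext to a known power multiplies the plaintext), with the private key split additively between the two players so that decryption needs both partial decryptions. Everything below is an assumption for the sake of a runnable illustration: the toy-sized group, the names `Player`, `hom_add`, `hom_scale`, `hom_neg`, `threshold_decrypt` and `euclidean_distance_protocol`, the additive key sharing, and the omission of the zero-knowledge proofs the text requires. For binary vectors the same aggregate $\sum_i (x_i - y_i)^2$ is the Hamming distance used in the profile-matching section later on.

```python
import random


def _is_prime(n):
    # Trial division; only used for the toy-sized group parameters below.
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def toy_group():
    # Constructed toy parameters (assumption, not the patent's): the first safe
    # prime p = 2q + 1 with q > 50000, and g = 4, which generates the order-q
    # subgroup of quadratic residues. Far too small for real use.
    q = 50_000
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1, q, 4


class Player:
    """Holds one additive share s_i of the joint ElGamal private key s = s_1 + s_2."""

    def __init__(self, p, q, g, rng):
        self.p, self.q, self.g = p, q, g
        self.share = rng.randrange(1, q)

    def public_share(self):
        return pow(self.g, self.share, self.p)          # g^{s_i}

    def partial_decrypt(self, c):
        return pow(c[0], self.share, self.p)            # c_1^{s_i}


def encrypt(m, h, p, q, g, rng):
    # Exponent ElGamal: [[m]] = (g^r, g^m h^r), so ciphertext products add plaintexts.
    r = rng.randrange(1, q)
    return (pow(g, r, p), pow(g, m, p) * pow(h, r, p) % p)


def hom_add(c, d, p):      # [[a]] * [[b]] = [[a + b]]
    return (c[0] * d[0] % p, c[1] * d[1] % p)


def hom_scale(c, k, p):    # [[a]]^k = [[k a]] for a known multiplier k
    return (pow(c[0], k, p), pow(c[1], k, p))


def hom_neg(c, p):         # [[a]]^{-1} = [[-a]]
    return (pow(c[0], -1, p), pow(c[1], -1, p))


def threshold_decrypt(c, partials, p, g, bound):
    # Combine c_1^{s_1} * c_1^{s_2} = c_1^s, strip it off, and recover the small
    # plaintext m from g^m by exhaustive search up to `bound`.
    denom = 1
    for x in partials:
        denom = denom * x % p
    gm = c[1] * pow(denom, -1, p) % p
    for m in range(bound + 1):
        if pow(g, m, p) == gm:
            return m
    raise ValueError("plaintext outside search bound")


def euclidean_distance_protocol(x, y, domain=16, seed=1):
    """Two-party computation of d_E(x,y) = sum_i (x_i - y_i)^2 on encrypted data.
    Entries are assumed to lie in 0..domain-1 (constructed bound for the search)."""
    p, q, g = toy_group()
    rng = random.Random(seed)
    p1, p2 = Player(p, q, g, rng), Player(p, q, g, rng)
    h = p1.public_share() * p2.public_share() % p       # joint public key g^{s_1 + s_2}

    acc = encrypt(0, h, p, q, g, rng)                    # running [[sum_i o_i]]
    for xi, yi in zip(x, y):
        c_x = encrypt(xi, h, p, q, g, rng)              # player 1 sends [[x_i]]
        c_x2 = encrypt(xi * xi, h, p, q, g, rng)        # player 1: [[x_i^2]]
        c_y2 = encrypt(yi * yi, h, p, q, g, rng)        # player 2: [[y_i^2]]
        c_2xy = hom_scale(c_x, 2 * yi, p)               # player 2: [[2 x_i y_i]] from [[x_i]]
        o_i = hom_add(hom_add(c_x2, hom_neg(c_2xy, p), p), c_y2, p)  # [[x_i^2 - 2x_iy_i + y_i^2]]
        acc = hom_add(acc, o_i, p)                      # prod_i [[o_i]] = [[sum_i o_i]]

    bound = len(x) * (domain - 1) ** 2
    partials = [p1.partial_decrypt(acc), p2.partial_decrypt(acc)]
    return threshold_decrypt(acc, partials, p, g, bound)
```

Only the final aggregate is ever decrypted, and only with both partial decryptions; neither player alone can open $[[x_i]]$ or $[[o_i]]$. The exhaustive search in `threshold_decrypt` is what limits exponent ElGamal to small plaintexts, which is why the text moves to binary representations for the threshold (decision) variant.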



WO 2005/043808 PCT/IB2004/052259

As a seventh application of the conditional gate, another well-known similarity measure for comparing two vectors is shown, the normalized scalar product, which is defined as $\langle x, y \rangle = \frac{\sum_{i=1}^{n} x_i y_i}{\|x\| \, \|y\|}$, where $\|x\| = \sqrt{\sum_{i=1}^{n} x_i^2}$. As the data $x, y$ are private, the numbers $1/\|x\|$ and $1/\|y\|$ can be computed privately by the respective players. The sum $\sum_{i=1}^{n} x_i y_i$ can be computed using the homomorphic properties of the El Gamal encryption scheme. Using the homomorphic properties once more, one obtains $\langle x, y \rangle$. Finally, the value is obtained by applying (fair) threshold decryption and by extending the technique of P-A. Fouque, J. Stern, G-J. Wackers, "CryptoComputing with rationals", in Financial Cryptography, 2001, to deal with rational numbers to the El Gamal case.

In order to solve the associated decision problem, i.e. to decide whether $\langle x, y \rangle > \mu$ for some well defined threshold $\mu$, all computations have to be done in the binary representation as explained before. Moreover, as $0 < \mu < 1$, it looks favorable to solve the following associated decision problem: $\sum_{i=1}^{n} x_i y_i > \mu \|x\| \, \|y\|$. Then the "Millionaires" protocol has to be applied. Finally, the result is obtained by applying (fair) threshold decryption.

In order to illustrate the wide applicability of the invention, an eighth application of the conditional gate is shown: secure auctions.

An auction consists of two phases: a bidding phase during which the participants send their bids to the auctioneer, and an opening phase during which the auctioneer announces the highest price and the identity of the winner.

The following model is assumed. There are $m$ bidders, $P_1, \ldots, P_m$. The bids are given by $x_1 = (x_{1,n-1}, \ldots, x_{1,0})_2, \ldots, x_m = (x_{m,n-1}, \ldots, x_{m,0})_2$. The representations are ordered from msb to lsb in this notation. The bidders encrypt their bids with the joint public key of the servers and send those to the auctioneer: $[[x_i]] = [[x_{i,n-1}]], \ldots, [[x_{i,0}]]$. There are $\ell$ servers. The method for highest price auctions will be described.

An algorithm for determining the identity of the highest bidder is presented. This algorithm is used by the servers to determine securely the highest bid and the identity of the highest bidder(s). For this purpose, a set of $n+1$ selection vectors $w_i \in \{0,1\}^m$, $i = -1, \ldots, n-1$, is defined that keep track of the identities of the highest bidders up to bit $i$ (starting from the msb). The algorithm starts with the vector $w_{n-1}$, and the identity of the highest bidder is contained in the vector $w_{-1}$. In order to give the dynamics that updates $w_i$ to $w_{i-1}$, a second set of vectors $t_i \in \{0,1\}^{m+1}$, $i = 0, \ldots, n-1$, is defined. The vectors $t_i$ check whether the vector $x_i w_i$ equals the zero vector. The $j$-th component of the vectors $w_i, t_i$ is denoted by $w_{j,i}, t_{j,i}$. The initial condition for the $t$ vectors is given by $t_{0,i} = 0$ for $i = 0, \ldots, n-1$, and for the $w$ vectors it is given by $w_{n-1} = (1, \ldots, 1)$. The polynomials are defined by $F(s,z) = s + (1-s)z$ and $G_a(s,z) = s(z + (1-z)(1-a))$. The dynamics is then defined by the following updating rule: $t_{j,i} = F(t_{j-1,i}, x_{j,i} w_{j,i})$, $t_{m,i} = F(\ldots F(F(t_{0,i}, x_{1,i} w_{1,i}), x_{2,i} w_{2,i}) \ldots)$, and $w_{j,i-1} = G_{t_{m,i}}(w_{j,i}, x_{j,i})$, for $i = n-1, \ldots, 0$ starting with $i = n-1$, and for each $i$ the counter $j$ runs from $1$ to $m$. Note that $t_{m,i} = 1$ means that at least one of the components of the vector $x_i w_i$ equals one. In order to compute the vector $w_{-1}$ securely, the servers use the generalized millionaires protocol based on the conditional gate.

When the vector $w_{-1}$ has been computed securely, the servers use fair threshold decryption to decrypt the entries of the vector $w_{-1}$. The identities of the winning bidders correspond to the positions of the entries of $w_{-1}$ that are equal to one. Using this identifier, they can find the corresponding highest bid and use threshold decryption to decrypt it.

This protocol satisfies the same advantages as formulated by Juels and Jakobsson in the US patent aforementioned; in particular it satisfies: non-interactivity, auction adaptability, full privacy, robustness, multiple servers and public verifiability, while it avoids the relatively computationally expensive Mix computation.

This protocol can be extended to Vickrey (second-price) auctions. A Vickrey auction is an auction where the highest bidder wins but the clearing price, i.e. the price that the winner has to pay, is equal to the second highest bid. In order to perform a Vickrey auction, the following approach is possible. First the servers determine the identities of the winners (but not the winning bids) with the protocol given above. Then they remove the winners and their bids from the list. Finally, they evaluate the following set of polynomials, $p_j = F(\ldots F(F(0, x_{1,j} w_{1,j}), \ldots), x_{m,j} w_{m,j})$, for $j = n-1, \ldots, 0$, where $F$ is as defined above. The vector $p = (p_{n-1}, \ldots, p_0)$ then contains the maximum bid price.
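The selection dynamics and the Vickrey extension above, run in the clear on plaintext bits, as an added example that is not part of the patent text. Under the actual protocol every product of two bits in $F$ and $G_a$ is one conditional-gate multiplication on encrypted bits and only $w_{-1}$ (and the chosen price) is ever decrypted; here the same polynomials are evaluated on integers so that the bookkeeping can be checked. The function names `highest_bidders` and `vickrey_auction`, the 0-based bidder indexing and the reading of the winning price off the $t_{m,i}$ bits (which is exactly the $p_j$ polynomial of the Vickrey paragraph) are assumptions of this illustration.

```python
def F(s, z):
    # F(s, z) = s + (1 - s) z : on bits this is s OR z
    return s + (1 - s) * z


def G(a, s, z):
    # G_a(s, z) = s (z + (1 - z)(1 - a)) : keeps s when a = 0, gives s AND z when a = 1
    return s * (z + (1 - z) * (1 - a))


def highest_bidders(bids, n):
    """Return the selection vector w_{-1} (1 marks a winning bidder) and the
    highest price, read off the t_{m,i} bits. Bids are n-bit integers."""
    m = len(bids)
    # x[j][i] is bit i of bidder j's bid; bit n-1 is the msb
    x = [[(b >> i) & 1 for i in range(n)] for b in bids]
    w = [1] * m                       # w_{n-1} = (1, ..., 1): everybody is still in the race
    price_bits = [0] * n
    for i in range(n - 1, -1, -1):    # scan from the msb down to bit 0
        t = 0                         # t_{0,i} = 0
        for j in range(m):
            t = F(t, x[j][i] * w[j])  # t_{j,i} = F(t_{j-1,i}, x_{j,i} w_{j,i})
        price_bits[i] = t             # t_{m,i} = 1 iff some remaining bidder has bit i set
        # w_{j,i-1} = G_{t_{m,i}}(w_{j,i}, x_{j,i}): drop bidders with a 0 bit only if
        # at least one remaining bidder has a 1 bit at this position
        w = [G(t, w[j], x[j][i]) for j in range(m)]
    return w, sum(bit << i for i, bit in enumerate(price_bits))


def vickrey_auction(bids, n):
    """Winners from the selection protocol; the clearing price is the maximum of a
    second run with the winners' bids removed, i.e. the second-highest bid."""
    winners, _ = highest_bidders(bids, n)
    remaining = [b for b, won in zip(bids, winners) if not won]
    _, clearing_price = highest_bidders(remaining, n)
    return winners, clearing_price
```

With the constructed bids `[5, 9, 3, 9]` and `n = 4`, `highest_bidders` returns the selection vector `[0, 1, 0, 1]` (two tied winners) and price 9, and `vickrey_auction` reruns on `[5, 3]` to obtain the clearing price 5. Note that the first run never decrypts the winning bids; the Vickrey price comes out of the second run's $t_{m,j}$ bits, as the $p_j$ polynomials describe.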

Finally, two applications using the private-multiplier multiplication protocol are shown. The first application is the generalized millionaires problem.

In the millionaires problem, the respective inputs $x$ and $y$ are both private to the players. In many applications (e.g. secure profile matching), however, one or both of the inputs will be shared. If only one input is shared, say $x$, the multiplication can still be used with a private multiplier protocol at a few steps in the algorithms. For the millionaires algorithm this leads to $2n$ private multiplier protocols and $n$ dichotomous multiplication protocols. If both inputs are shared, however, it is necessary to use the dichotomous multiplication protocol at all steps, giving $3n$ uses of the dichotomous multiplication protocol.

If one input is shared, say $x$, and the other input is a known constant $T$, the following protocol is possible. Replace $y_j$ with $T_j$ for $j = 0, \ldots, n-1$ and compute $\{[[x_j - T_j]]\}$ for $j = 0, \ldots, n-1$ by using the homomorphic properties of the encryption scheme. In this way the problem is transformed into the inequality $x - T > 0$. Then only the computation of $[[v(x_j - T_j)]]$ has to be done with the dichotomous multiplication protocol (leading to $n$ dichotomous multiplications).

As a second application, secure profile matching is shown.

In recent years, the availability to users of large amounts of content (audio, video, text, etc.) in electronic form has called for the development of methods for information selection. Such methods are most commonly based on the idea of personalization, where information is selected for a given user according to the profile of preferences of that user. Such systems are generally known as recommender systems.

Collaborative filtering techniques are recommender systems in which the recommendation of content is based on the similarity between the profile of a given user and the profiles of other users (and not on the features of the content itself). If the measure of similarity between any two profiles is high enough (according to some pre-defined criterion), the system can recommend to one user the highly appreciated content items of the other user which have not yet been seen by that first user.

Here this setting is extended to the ad-hoc case where two users can compare their profiles and find out whether they have a similar taste. If so, they might start a procedure to exchange content with each other. If not, the protocol guarantees that no other private information is leaked than the fact that the profiles are not similar.

By private comparison of two profiles, it is meant that the users securely compute a test function agreed upon beforehand. In a second phase they compare this (encrypted) value securely with a threshold; i.e. at the end of the protocol, the only knowledge the players get is whether the value of the test function exceeds the threshold or not.

The participants are assumed to have an authenticated channel with each other. For the sake of clarity this description is restricted to the case where the private profiles of the users consist of binary vectors denoted as $x$ and $y$, but extensions to non-binary vectors are also possible.

A first measure for comparing two vectors is given by the number of entries in which they differ. This measure can be defined in terms of the Hamming distance $d_H(x,y)$ between two vectors $x, y \in \{0,1\}^n$, which is given by $d_H(x,y) = \sum_{i=1}^{n} \delta(x_i - y_i)$, where $\delta(x) = 0$ if $x = 0$ and $\delta(x) = 1$ if $x \neq 0$. The second measure considered will be the scalar product defined as $d_S(x,y) = \sum_{i=1}^{n} x_i y_i$. The goal of this section is to show how $d_H(x,y)$ and $d_S(x,y)$ can be computed and compared to a threshold in a private way.

The private computation of $d_H(x,y)$ can be performed by running the private multiplier multiplication protocol and using threshold decryption to decrypt the result. The private computation of $d_S(x,y)$ is also based on the private multiplier multiplication protocol and the homomorphic properties of the ElGamal cryptosystem.

A more interesting situation arises when the decision problem $d_H(x,y) > \mu$ or $d_S(x,y) > \mu$ for a threshold $\mu$ chosen by one or both of the players has to be solved in a private way. It is assumed that $\mu$ is given in its binary representation $(\mu_{n-1}, \ldots, \mu_0)_2$. The next protocol solves the decision problem for $d_H(x,y)$, whereas the situation for $d_S(x,y)$ is completely analogous and the details are therefore omitted:

- First, the players set up a threshold ElGamal system using a key generation protocol.
- For each component $i = 1, \ldots, n$ both players compute securely $[[o_i]] = [[\delta(x_i - y_i)]]$ using the "socialist" protocol of the section on the Millionaires problem, or by computing $[[o_i]] = [[(x_i - y_i)^2]]$ using the private multiplier multiplication protocol.
- They compute privately the bit representation of $[[s]] = [[\sum_{i=1}^{n} o_i]]$. As a result the players obtain $([[s_{n-1}]], \ldots, [[s_0]])_2$, the binary representation of $[[\sum_{i=1}^{n} o_i]]$.
- The players carry out the millionaires protocol on $[[s]]$ and $[[\mu]]$ to check whether $[[s]] > [[\mu]]$.
- Finally, they apply (fair) threshold decryption to decrypt the result of the decision problem.

This protocol requires $O(n \log n)$ exponentiations per player.

The previous approach can be extended to the case where the entries belong to a discrete (but not binary) domain. The idea is the same but the computations require more steps and details. It is emphasized that also in that case full privacy can be guaranteed.
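The bit-level work that the second, third and fourth steps above perform on encrypted bits, modelled in the clear as an added example that is not part of the patent text. Every product of two bits below is one secure multiplication when the same polynomials are evaluated on $[[\cdot]]$ values, which is what makes the multiplication count the relevant cost measure. The ripple-carry adder and the most-significant-bit-first comparison are standard arithmetic-circuit constructions assumed here, not the patent's own "socialist" or millionaires protocols; the names `xor_bit`, `add_bits`, `sum_of_bits`, `greater_than` and `hamming_exceeds` are this example's.

```python
def xor_bit(a, b):
    # For bits, (a - b)^2 = a + b - 2ab = a XOR b: a single multiplication,
    # which is exactly o_i = (x_i - y_i)^2 for binary profile entries.
    return a + b - 2 * a * b


def add_bits(a, b):
    """Ripple-carry addition of two lsb-first bit vectors; the result carries one
    extra bit so that it can never overflow."""
    n = max(len(a), len(b))
    a = a + [0] * (n - len(a))
    b = b + [0] * (n - len(b))
    out, carry = [], 0
    for ai, bi in zip(a, b):
        s = xor_bit(ai, bi)
        out.append(xor_bit(s, carry))
        carry = ai * bi + s * carry      # majority(ai, bi, carry); the terms are exclusive
    out.append(carry)
    return out


def sum_of_bits(o):
    """Bit representation (lsb first) of s = sum_i o_i for bits o_i, built with
    n additions of a single bit."""
    s = [0]
    for oi in o:
        s = add_bits(s, [oi])
    return s


def to_bits(value, n):
    # Constructed helper: lsb-first n-bit representation of a public threshold.
    return [(value >> i) & 1 for i in range(n)]


def greater_than(s, mu):
    """Evaluate [s > mu] on lsb-first bit vectors by scanning from the msb: the
    comparison is decided at the first position where the bits differ."""
    n = max(len(s), len(mu))
    s = s + [0] * (n - len(s))
    mu = mu + [0] * (n - len(mu))
    gt, eq = 0, 1                        # gt: already decided s > mu; eq: all higher bits equal
    for si, mi in reversed(list(zip(s, mu))):
        gt = gt + eq * si * (1 - mi)     # s_i = 1, mu_i = 0 with everything above equal
        eq = eq * (1 - xor_bit(si, mi))
    return gt


def hamming_exceeds(x, y, mu):
    """1 if d_H(x, y) > mu for binary vectors x, y and integer threshold mu, else 0."""
    o = [xor_bit(xi, yi) for xi, yi in zip(x, y)]   # [[o_i]] step
    s = sum_of_bits(o)                               # bit representation of [[s]]
    return greater_than(s, to_bits(mu, len(s)))      # millionaires step
```

Only the single bit returned by `greater_than` would be opened by fair threshold decryption in the real protocol; $s$ itself stays encrypted, which is the point of computing its bit representation rather than decrypting the sum.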
Fig. 2 illustrates the device and computer program product for implementing the method according to the invention.

The device 200 comprises a memory 201, processing means 202, input means 203, and output means 204, being arranged to implement the method according to the invention.

A computer program product 210 may carry instructions that, when loaded, 
cause a programmable device in device 200 to execute the steps necessary to implement the 
method according to the invention. 

It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims.

In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps other than those listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. A single processor or other (programmable) unit may also fulfill the functions of several means recited in the claims.

In the device claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.



